
Tuesday, November 27, 2012

Connection Filters In Weblogic


Connection filters are an additional security feature provided by WebLogic. WebLogic already secures resources at the domain level, the application level and the application-component level using security roles and users.

A connection filter is another WebLogic feature, and it works at the network layer. Connection filters let you block unwanted access to resources; for example, they can be used to block an IP address from reaching the WebLogic admin console.

WebLogic ships a default connection filter implementation, weblogic.security.net.ConnectionFilterImpl, which reads the connection filter rules you configure and allows or blocks access to resources based on them.

To add a connection filter to a WebLogic domain, go to Domain Name -> Security -> Filter in the admin console and set:
Connection Filter: weblogic.security.net.ConnectionFilterImpl
Connection Filter Rules:
IP address * * allow# Apache 
IP address * * allow#

Something like:
173.222.34.54 * * allow#Apache
0.0.0.0/0 * * deny#Deny all
0.0.0.0/0 * 7001 deny

When we check the config.xml file we can see:
<connection-filter-rule>173.222.34.54 * * allow# Apache</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny#Deny All</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * 7001 deny</connection-filter-rule>

The first line allows access to everything for the IP address 173.222.34.54. The last line denies all traffic (0.0.0.0/0) to all local addresses (*) on the admin port (7001). The rules are evaluated from top to bottom.

There are some syntax rules to keep in mind when configuring the filters:
  • Each rule must be written on a single line.
  • Tokens in a rule are separated by whitespace.
  • A pound sign (#) is the comment character; everything after a pound sign on a line is ignored.
  • Whitespace before or after a rule is ignored.
  • Lines consisting only of whitespace or comments are skipped.
  • Filters apply to all servers in your domain, so remember that you can lock yourself out (of the admin console) or even block internal WebLogic communication between the managed servers and the admin server.
  • Filters are stored in the config.xml file, so if you really have locked yourself out, look there.

The connection filter syntax is:

targetAddress  localAddress  localPort   action        protocols

targetAddress specifies one or more systems to filter.

localAddress defines the host address of the WebLogic Server instance. (If you specify an asterisk (*), the match returns all local IP addresses.)

localPort defines the port on which the WebLogic Server instance is listening. (If you specify an asterisk (*), the match returns all available ports on the server).

action specifies the action to perform. This value must be allow or deny.

protocols is the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s, ldap, ldaps, iiop, iiops, and com.

If no protocol is defined, all protocols will match a rule.
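To make the rule syntax and the top-to-bottom evaluation concrete, here is an added example (not part of the original post and not WebLogic's own ConnectionFilterImpl code): a small Python parser and evaluator for rules in the targetAddress localAddress localPort action protocols form, run against the three rules from the post. It also reports rules that can never fire because an earlier rule already covers them, and it shows how a broad deny rule locks out the admin port for every address it does not explicitly allow. Assumptions that are mine, not the post's: targetAddress is an IPv4/IPv6 address or CIDR block (host names are not resolved), and a connection that matches no rule is allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

# Protocol names the post lists as valid in the protocols column.
KNOWN_PROTOCOLS = frozenset(
    {"http", "https", "t3", "t3s", "ldap", "ldaps", "iiop", "iiops", "com"})

# The three rules from the post, comments included.
PAGE_RULES = """
173.222.34.54 * * allow#Apache
0.0.0.0/0 * * deny#Deny all
0.0.0.0/0 * 7001 deny
"""


@dataclass
class Rule:
    number: int                                                  # 1-based position in the list
    target: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]  # bare IP becomes a /32 (or /128)
    local_addr: Optional[str]                                    # None means "*"
    local_port: Optional[int]                                    # None means "*"
    action: str                                                  # "allow" or "deny"
    protocols: FrozenSet[str]                                    # empty means every protocol matches


def parse_rules(text: str) -> List[Rule]:
    """One rule per line, whitespace-separated tokens, '#' starts a comment,
    blank and comment-only lines skipped. Assumption (not from the post):
    targetAddress is an IP address or CIDR block; host names are not handled."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4:
            raise ValueError(f"line {lineno}: expected targetAddress localAddress localPort action")
        target, local, port, action, *protos = tokens
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, got {action!r}")
        unknown = set(protos) - KNOWN_PROTOCOLS
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocol(s) {sorted(unknown)}")
        rules.append(Rule(
            number=len(rules) + 1,
            target=ipaddress.ip_network(target, strict=False),
            local_addr=None if local == "*" else local,
            local_port=None if port == "*" else int(port),
            action=action,
            protocols=frozenset(protos),
        ))
    return rules


def evaluate(rules: List[Rule], remote_ip: str, local_ip: str, local_port: int,
             protocol: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first matching rule, top to bottom.
    Assumption (not from the post): a connection matching no rule is allowed."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if addr not in r.target:
            continue
        if r.local_addr is not None and r.local_addr != local_ip:
            continue
        if r.local_port is not None and r.local_port != local_port:
            continue
        if r.protocols and protocol not in r.protocols:
            continue
        return r.action, r.number
    return "allow", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never fire because an earlier rule matches
    every connection they would match, so their action never applies."""
    out: List[int] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers = (
                earlier.target.version == later.target.version
                and earlier.target.supernet_of(later.target)
                and earlier.local_addr in (None, later.local_addr)
                and earlier.local_port in (None, later.local_port)
                and (not earlier.protocols
                     or (bool(later.protocols) and later.protocols <= earlier.protocols))
            )
            if covers:
                out.append(later.number)
                break
    return out


if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for ip in ("173.222.34.54", "10.0.0.8", "127.0.0.1"):   # constructed client addresses
        print(ip, "->", evaluate(rules, ip, "10.0.0.5", 7001))
    print("rules that can never fire:", shadowed_rules(rules))
```

With the post's rules, 173.222.34.54 is allowed by rule 1 and every other address, including the admin server's own loopback address, is denied by rule 2, which is exactly the lockout the syntax notes warn about. Rule 3 is reported as never firing, because rule 2 already denies all addresses on all ports; the post's description of the last line holds only if the "deny all" line above it is removed.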

There are cases where you will see notices like:

####<Nov 27, 2012 4:31:22 AM CST> <Notice> <Socket> <omhq19ea> < admin> <ExecuteThread: '5' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354012282145> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x.x,port=62719,localport=29902], weblogic.security.net.FilterException: [Security:090220]rule 81>


####<Nov 27, 2012 4:49:25 AM CST> <Notice> <Socket> <omhq19eb> < admin> <ExecuteThread: '4' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354013365338> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x,port=62941,localport=29802], weblogic.security.net.FilterException: [Security:090220]rule 107>

In that case, check that the connection filter rules follow the syntax above.
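When these BEA-000445 notices start appearing, it helps to know which rule is rejecting connections, on which listen port, and from which addresses, before touching the rule list. The following is an added example (my code, not from the original post or from WebLogic) that extracts those fields from notices in the shape shown above and counts them. The log lines are constructed to match the post's format; the host names, addresses and ports in them are made up, and the rule numbers are assumed to be positions in the configured rule list.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the shape of the notices on the page.
# Host names, addresses, ports and rule numbers are made up.
SAMPLE_LOG = """\
####<Nov 27, 2012 4:31:22 AM CST> <Notice> <Socket> <host-a> < admin> <ExecuteThread: '5' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354012282145> <BEA-000445> <Connection rejected, filter blocked Socket[addr=/192.0.2.10,port=62719,localport=29902], weblogic.security.net.FilterException: [Security:090220]rule 81>
####<Nov 27, 2012 4:49:25 AM CST> <Notice> <Socket> <host-b> < admin> <ExecuteThread: '4' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354013365338> <BEA-000445> <Connection rejected, filter blocked Socket[addr=/198.51.100.7,port=62941,localport=29802], weblogic.security.net.FilterException: [Security:090220]rule 107>
####<Nov 27, 2012 4:50:01 AM CST> <Notice> <Socket> <host-a> < admin> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354013401000> <BEA-000445> <Connection rejected, filter blocked Socket[addr=/192.0.2.10,port=62950,localport=29902], weblogic.security.net.FilterException: [Security:090220]rule 81>
####<Nov 27, 2012 4:50:05 AM CST> <Info> <Socket> <host-a> < admin> <ExecuteThread: '3' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354013405000> <BEA-000000> <Some unrelated message>
"""

# Leading fields are angle-bracket delimited; the message body contains nested
# brackets ("<<WLS Kernel>>"), so the body is matched by its fixed wording instead.
REJECT_RE = re.compile(
    r"^####<(?P<ts>[^>]*)> <(?P<severity>[^>]*)> <(?P<subsystem>[^>]*)> <(?P<machine>[^>]*)>"
    r" <(?P<server>[^>]*)>.*?<(?P<msgid>BEA-000445)> "
    r"<Connection rejected, filter blocked Socket\[addr=(?P<addr>[^,\]]*),port=(?P<port>\d+),"
    r"localport=(?P<localport>\d+)\].*?rule (?P<rule>\d+)>\s*$"
)


def parse_rejections(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per filter-rejection notice; other lines are ignored."""
    records: List[Dict[str, str]] = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = {k: v.strip() for k, v in m.groupdict().items()}
        # Java prints the peer as "host/ip" or "/ip"; keep only the IP part.
        rec["addr"] = rec["addr"].rsplit("/", 1)[-1]
        records.append(rec)
    return records


def summarize(records: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Count rejections per (server, rule, local port) and per remote address,
    which shows which rule is doing the blocking and whether the blocked peers
    are outsiders or your own managed servers."""
    by_rule = Counter((r["server"], r["rule"], r["localport"]) for r in records)
    by_addr = Counter(r["addr"] for r in records)
    return by_rule, by_addr


if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG.splitlines())
    by_rule, by_addr = summarize(recs)
    for (server, rule, lport), n in by_rule.most_common():
        print(f"server={server} rule={rule} localport={lport}: {n} rejection(s)")
    for addr, n in by_addr.most_common():
        print(f"peer {addr}: {n} rejection(s)")
```

If the peers listed are your own managed servers or the admin server, the filter is cutting internal WebLogic traffic, which is the lockout case from the syntax notes; the rule number in each notice tells you which line of the rule list to look at in config.xml.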

Happy Learning.